
CVE-2025-10416: SQL Injection in Campcodes Grocery Sales and Inventory System

Severity: Medium
Published: Sun Sep 14 2025 (09/14/2025, 23:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Grocery Sales and Inventory System

Description

A vulnerability was identified in Campcodes Grocery Sales and Inventory System 1.0. This impacts an unknown function of the file /ajax.php?action=delete_supplier. The manipulation of the argument ID leads to SQL injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

AI-Powered Analysis

Last updated: 09/15/2025, 00:09:10 UTC

Technical Analysis

CVE-2025-10416 is a SQL Injection vulnerability found in version 1.0 of the Campcodes Grocery Sales and Inventory System. The vulnerability exists in the /ajax.php endpoint, specifically when the 'action' parameter is set to 'delete_supplier' and the 'ID' argument is manipulated. This improper input validation allows an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. The injection can lead to unauthorized access to the backend database, potentially exposing sensitive supplier data, modifying or deleting records, or even escalating to full system compromise depending on the database privileges. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level, with an attack vector of network (remote), low attack complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. Although no public exploits are currently known to be actively used in the wild, proof-of-concept code is publicly available, increasing the risk of exploitation. The lack of a patch or vendor-provided mitigation at this time further elevates the threat to users of this system. Given that this system is used for grocery sales and inventory management, exploitation could disrupt supply chain operations and lead to financial losses or data breaches.

Potential Impact

For European organizations using the Campcodes Grocery Sales and Inventory System 1.0, this vulnerability poses a risk to the confidentiality and integrity of supplier and inventory data. Attackers exploiting this flaw could manipulate supplier records, disrupt inventory tracking, or extract sensitive business information, potentially leading to operational disruptions and financial damage. In the context of European data protection regulations such as GDPR, unauthorized access to personal or business data could result in regulatory penalties and reputational harm. Additionally, since grocery supply chains are critical infrastructure components, exploitation could indirectly affect availability of goods, impacting consumers and business continuity. The medium severity rating suggests that while the vulnerability is serious, it may not lead to full system takeover without additional vulnerabilities or misconfigurations. However, the ease of remote exploitation without authentication makes it a notable risk for organizations relying on this software for daily operations.

Mitigation Recommendations

Organizations should immediately assess their use of Campcodes Grocery Sales and Inventory System version 1.0 and prioritize upgrading to a patched version once available. In the absence of an official patch, applying web application firewall (WAF) rules to detect and block SQL injection patterns targeting the /ajax.php?action=delete_supplier endpoint can reduce exposure. Input validation and parameter sanitization should be enforced at the application level to prevent injection attacks. Network segmentation can limit access to the vulnerable system from untrusted networks. Regular database backups and monitoring for unusual query patterns or data changes can help detect and recover from exploitation attempts. Additionally, organizations should conduct security audits and penetration testing focused on injection vulnerabilities and ensure that database accounts used by the application have the least privileges necessary to limit potential damage.
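The application-level fixes recommended above (authentication on the endpoint, strict validation of the ID argument, and a prepared statement instead of string concatenation) are illustrated here as an added example written for this page; it is not the Campcodes code. The table name `supplier_list`, the column `id`, the `$conn` mysqli handle and the `login_id` session key are assumptions, not taken from the product.

```php
<?php
// Added example, not Campcodes' code: a hardened delete_supplier handler
// for /ajax.php?action=delete_supplier.
// Assumptions: $conn is an open mysqli connection, the supplier table is
// `supplier_list` with integer primary key `id`, and a logged-in user has
// $_SESSION['login_id'] set. Adapt these names to the real schema.
declare(strict_types=1);

// Vulnerable pattern this replaces (do NOT use): the request value goes
// straight into the query text, so the ID argument becomes SQL.
//   $conn->query("DELETE FROM supplier_list WHERE id = " . $_POST['id']);

function delete_supplier(mysqli $conn, array $request): array
{
    // 1. The advisory notes the endpoint is reachable without
    //    authentication; require a session before doing anything.
    if (empty($_SESSION['login_id'])) {
        http_response_code(403);
        return ['status' => 'error', 'msg' => 'not authenticated'];
    }

    // 2. Validate the ID strictly as a positive integer before it gets
    //    near SQL. filter_var() rejects anything that is not a plain
    //    integer string, so injected SQL never passes this point.
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return ['status' => 'error', 'msg' => 'invalid id'];
    }

    // 3. Bind the value as data with a prepared statement; the query
    //    text is fixed and the parameter can never change its structure.
    $stmt = $conn->prepare('DELETE FROM supplier_list WHERE id = ?');
    if ($stmt === false) {
        http_response_code(500);
        return ['status' => 'error', 'msg' => 'database error'];
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();

    return ['status' => $deleted > 0 ? 'ok' : 'not_found', 'deleted' => $deleted];
}

// Dispatcher fragment in ajax.php (assumed layout):
// if (($_GET['action'] ?? '') === 'delete_supplier') {
//     header('Content-Type: application/json');
//     echo json_encode(delete_supplier($conn, $_POST));
// }
```

Pair this with the least-privilege advice above: the MySQL account the application connects with should hold only the DML rights it needs on its own schema, so that even a missed injection point cannot read other databases or alter the schema.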


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-14T06:23:14.785Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c7591939776bc2a1466a44

Added to database: 9/15/2025, 12:08:57 AM

Last enriched: 9/15/2025, 12:09:10 AM

Last updated: 9/15/2025, 6:37:26 AM
